j2me https negotiation - Client Certificate

Forum for J2ME mobile games related topics including programming doubts, books and other resources for J2ME game development

j2me https negotiation - Client Certificate

Postby menis » Tue Dec 04, 2007 7:42 pm

Hello all,

I am developing a j2me application and i am extremely concerned about the security
and encryption of data. I am planning to implement this using the https implementation
of java for MIDP2.0 profile and cldc1.1 configuration.

My question concerns how exactly the kvm performs the https negotiation beetween the sever
and the client and particularly if the client sends a certificate, so the sever knows that
the request is from a valid source.

Lets examine the following scenario:
I have a digitally signed Midlet and i have a https server with a valid certificate.The Midlet
performs a https connection with the server.During the "handshake" client and server exchange
some messages so they can authenticate each other.
I know that server's Certificate is used and client can authenticate that server is a trusted source.
Does this happen also from client side? Meaning that the client Midlet is using it's own certificate?
What certificate? Does the programmer have to implement/materialize anything or this is done
automatically and transparently from kvm?

Please Advice

Posts: 12
Joined: Sun Nov 25, 2007 6:11 pm

Re: j2me https negotiation - Client Certificate

Postby DevelopmentTeam » Wed Dec 05, 2007 3:27 am

There is a very good document explaining https connection from sun developers. please check this and if you have further questions let us proceed. :) http://developers.sun.com/mobility/midp/articles/https/
User avatar
Site Admin
Posts: 661
Joined: Tue Aug 15, 2006 8:39 am
Location: India

Re: j2me https negotiation - Client Certificate

Postby menis » Wed Dec 05, 2007 2:44 pm


As i can see the in the url that you have posted ...
"...The Kilobyte SSL (or kSSL) is a client-side implementation of SSL version 3.0. It supports the most commonly used cipher suites,
such as RSA_RC4_128_MD5 and RSA_RC4_40_MD5. Note that kSSL doesn't support client-side authentication,..."

So i suppose that (Unfortunately) no client certificate is involved in the client server handshake.

Subsequently the question that arises is how the server can be sure (lets suppose in an e-commerce business model)
that the j2me client that requests data is a legitimate one, and NOT a malicious Midlet that imitates the behaviour
of a normal Midlet in order to steal data and stuff...? Can you suggest any satisfying mechanism? Can SATSA API
can be helpful on this direction?
Posts: 12
Joined: Sun Nov 25, 2007 6:11 pm

Return to J2ME Games

Who is online

Users browsing this forum: No registered users and 2 guests